From c1331a592acafd8cbcca1f7822134180a9da8024 Mon Sep 17 00:00:00 2001
From: Josh Knapp <jknapp85@gmail.com>
Date: Fri, 15 May 2026 05:48:14 -0700
Subject: [PATCH] waf-block page: escape literal % as %% (HAProxy lf-file
 expansion)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

End-to-end test of the 403 page showed CSS `100%` rendering as `100`
and gradient stops `0%, 100%` rendering as `0, 100` — HAProxy's
`lf-file` directive runs log-format expansion over the file content,
and `%` is the format-escape character. Single `%` is consumed by
the expander.

Doubled every literal CSS percentage (`100%%`, `0%%`, etc.) so HAProxy
emits a single `%` in the rendered body. Format expressions like
`%[unique-id]` and `%[req.hdr(host)]` stay single-`%` — those are the
substitutions we want.

Added a comment block at the top of the file documenting the gotcha for
future editors.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 errors/403-waf.html | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/errors/403-waf.html b/errors/403-waf.html
index 6bcace1..b35bbb4 100644
--- a/errors/403-waf.html
+++ b/errors/403-waf.html
@@ -1,4 +1,12 @@
 <!DOCTYPE html>
+<!--
+  Served by HAProxy via `lf-file` on Coraza WAF deny.
+  IMPORTANT: HAProxy's lf-file expansion treats `%` as the start of a
+  log-format expression. Literal percent signs (CSS 100%, gradient stops,
+  url-encoded data, etc.) MUST be doubled as `%%` or HAProxy will silently
+  swallow them. Expressions like `%[unique-id]` / `%[req.hdr(host)]` stay
+  single-`%` — those are the substitutions we want.
+-->
 <html lang="en">
 <head>
 <meta charset="utf-8">
@@ -7,11 +15,11 @@
 <title>Request blocked &middot; %[req.hdr(host)]</title>
 <style>
   *, *::before, *::after { box-sizing: border-box; }
-  html, body { margin: 0; padding: 0; height: 100%; }
+  html, body { margin: 0; padding: 0; height: 100%%; }
   body {
     font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, "Helvetica Neue", Arial, sans-serif;
     color: #1f2937;
-    background: linear-gradient(135deg, #f9fafb 0%, #eef2f7 100%);
+    background: linear-gradient(135deg, #f9fafb 0%%, #eef2f7 100%%);
     display: flex;
     align-items: center;
     justify-content: center;
@@ -23,7 +31,7 @@
     border-radius: 12px;
     box-shadow: 0 1px 3px rgba(0,0,0,0.05), 0 12px 32px rgba(31,41,55,0.08);
     max-width: 560px;
-    width: 100%;
+    width: 100%%;
     padding: 36px 40px;
   }
   .badge {